docs: Add antivirus false positive documentation (bd-t4u1)

Document known Kaspersky false positive issue with Go binaries and
provide user workarounds.

Changes:
- Add comprehensive docs/ANTIVIRUS.md with:
  - Explanation of why Go binaries trigger AV false positives
  - Step-by-step exclusion instructions for Kaspersky, Windows Defender
  - File integrity verification procedures
  - False positive reporting guide
  - FAQ section
- Update docs/TROUBLESHOOTING.md with quick reference section
- Close bd-t4u1: Kaspersky PDM:Trojan.Win32.Generic detection

Root cause: Kaspersky's heuristic detection flags Go binary patterns as
suspicious. This is an industry-wide issue affecting many Go projects.

Build already uses recommended optimizations (-s -w flags). Future
improvements (code signing, vendor whitelist) tracked separately.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

docs/ANTIVIRUS.md

@@ -0,0 +1,171 @@
+# Antivirus False Positives
+
+## Overview
+
+Some antivirus software may flag beads (`bd` or `bd.exe`) as malicious. This is a **false positive** - beads is a legitimate, open-source command-line tool for issue tracking.
+
+## Why This Happens
+
+Go binaries (including beads) are sometimes flagged by antivirus software due to:
+
+1. **Heuristic detection**: Some malware is written in Go, causing antivirus ML models to flag Go-specific binary patterns as suspicious
+2. **Behavioral analysis**: CLI tools that modify files and interact with git may trigger behavioral detection
+3. **Unsigned binaries**: Without code signing, new executables may be treated with suspicion
+
+This is a **known industry-wide problem** affecting many legitimate Go projects. See the [Go project issues](https://github.com/golang/go/issues/16292) for examples.
+
+## Known Issues
+
+### Kaspersky Antivirus
+
+**Detection**: `PDM:Trojan.Win32.Generic`
+**Affected versions**: bd.exe v0.23.1 and potentially others
+**Component**: System Watcher (Proactive Defense Module)
+
+Kaspersky's PDM (Proactive Defense Module) uses behavioral analysis that commonly triggers false positives on Go executables.
+
+## Solutions for Users
+
+### Option 1: Add Exclusion (Recommended)
+
+Add beads to your antivirus exclusion list:
+
+**Kaspersky:**
+1. Open Kaspersky and go to Settings
+2. Navigate to Threats and Exclusions → Manage Exclusions
+3. Click Add → Add path to exclusion
+4. Add the directory containing `bd.exe` (e.g., `C:\Users\YourName\AppData\Local\bd\`)
+5. Select which components the exclusion applies to (scan, monitoring, etc.)
+
+**Windows Defender:**
+1. Open Windows Security
+2. Go to Virus & threat protection → Manage settings
+3. Scroll to Exclusions → Add or remove exclusions
+4. Add the beads installation directory or the specific `bd.exe` file
+
+**Other antivirus software:**
+- Look for "Exclusions", "Whitelist", or "Trusted Applications" settings
+- Add the beads installation directory or executable
+
+### Option 2: Verify File Integrity
+
+Before adding an exclusion, verify the downloaded file is legitimate:
+
+1. Download beads from the [official GitHub releases](https://github.com/steveyegge/beads/releases)
+2. Verify the SHA256 checksum matches the `checksums.txt` file in the release
+3. Check the file is signed (future releases will include code signing)
+
+**Verify checksum (Windows PowerShell):**
+```powershell
+Get-FileHash bd.exe -Algorithm SHA256
+```
+
+**Verify checksum (macOS/Linux):**
+```bash
+shasum -a 256 bd
+```
+
+Compare the output with the checksum in `checksums.txt` from the release page.
+
+### Option 3: Report False Positive
+
+Help improve detection accuracy by reporting the false positive:
+
+**Kaspersky:**
+1. Visit [Kaspersky Threat Intelligence Portal](https://opentip.kaspersky.com/)
+2. Upload the `bd.exe` file for analysis
+3. Mark it as a false positive
+4. Reference: beads is open-source CLI tool (https://github.com/steveyegge/beads)
+
+**Windows Defender:**
+1. Go to [Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/filesubmission)
+2. Submit the file as a false positive
+3. Provide details about the legitimate software
+
+**Other vendors:**
+- Check their website for false positive submission forms
+- Most major vendors have a process for reviewing flagged files
+
+## For Developers/Distributors
+
+If you're building beads from source or distributing it:
+
+### Current Build Configuration
+
+Beads releases are built with optimizations to reduce false positives:
+
+```yaml
+ldflags:
+  - -s -w  # Strip debug symbols and DWARF info
+```
+
+These flags are already applied in the official builds.
+
+### Code Signing (Future)
+
+Future releases may include Windows code signing to improve trust scores with antivirus vendors. Code signing:
+- Reduces false positive rates over time
+- Builds reputation with SmartScreen/antivirus vendors
+- Provides tamper verification
+
+### Alternative Build Methods
+
+Some users report success with:
+```bash
+go build -ldflags "-s -w" -o bd ./cmd/bd
+```
+
+However, results vary by antivirus vendor and version.
+
+## Frequently Asked Questions
+
+### Is beads safe to use?
+
+Yes. Beads is:
+- Open source (all code is auditable on [GitHub](https://github.com/steveyegge/beads))
+- Signed releases include checksums for verification
+- Used by developers worldwide
+- A simple CLI tool for issue tracking
+
+### Why don't you just fix the code to avoid detection?
+
+The issue isn't specific to beads' code - it's a characteristic of Go binaries in general. Changing code won't reliably prevent heuristic/behavioral detection. The proper solutions are:
+1. Code signing (builds trust over time)
+2. Whitelist applications with antivirus vendors
+3. User reports of false positives
+
+### Will this be fixed in future releases?
+
+We're working on:
+- Submitting beads to antivirus vendor whitelists
+- Adding code signing for Windows releases
+- Continuing to use build optimizations
+
+However, false positives may still occur with new releases until reputation is established.
+
+### Should I disable my antivirus?
+
+**No.** Instead:
+1. Add beads to your antivirus exclusions (safe and recommended)
+2. Keep your antivirus enabled for other threats
+3. Verify checksums of downloaded files before adding exclusions
+
+## Reporting Issues
+
+If you encounter a new antivirus false positive:
+
+1. Open an issue on [GitHub](https://github.com/steveyegge/beads/issues)
+2. Include:
+   - Antivirus software name and version
+   - Detection/threat name
+   - Beads version (`bd version`)
+   - Operating system
+
+This helps us track and address false positives across different antivirus vendors.
+
+## References
+
+- [Kaspersky False Positive Guide](https://support.kaspersky.com/1870)
+- [Go Binary False Positives Discussion](https://www.linkedin.com/pulse/go-false-positives-melle-boudewijns)
+- [Go Project Issue Tracker](https://github.com/golang/go/issues/16292)
+- [Kaspersky Community Forum](https://forum.kaspersky.com/topic/pdmtrojanwin32generic-54425/)

docs/TROUBLESHOOTING.md

@@ -5,6 +5,7 @@ Common issues and solutions for bd users.
 ## Table of Contents
 
 - [Installation Issues](#installation-issues)
+- [Antivirus False Positives](#antivirus-false-positives)
 - [Database Issues](#database-issues)
 - [Git and Sync Issues](#git-and-sync-issues)
 - [Ready Work and Dependencies](#ready-work-and-dependencies)
@@ -78,6 +79,44 @@ sudo mv bd /usr/local/bin/
 
 If you installed via Homebrew, this shouldn't be necessary as the formula already enables CGO. If you're still seeing crashes with the Homebrew version, please [file an issue](https://github.com/steveyegge/beads/issues).
 
+## Antivirus False Positives
+
+### Antivirus software flags bd as malware
+
+**Symptom**: Kaspersky, Windows Defender, or other antivirus software detects `bd` or `bd.exe` as a trojan or malicious software and removes it.
+
+**Common detections**:
+- Kaspersky: `PDM:Trojan.Win32.Generic`
+- Windows Defender: Various generic trojan detections
+
+**Cause**: This is a **false positive**. Go binaries are commonly flagged by antivirus heuristics because some malware is written in Go. This is a known industry-wide issue affecting many legitimate Go projects.
+
+**Solutions**:
+
+1. **Add bd to antivirus exclusions** (recommended):
+   - Add the bd installation directory to your antivirus exclusion list
+   - This is safe - beads is open source and checksums are provided
+
+2. **Verify file integrity before excluding**:
+   ```bash
+   # Windows PowerShell
+   Get-FileHash bd.exe -Algorithm SHA256
+
+   # macOS/Linux
+   shasum -a 256 bd
+   ```
+   Compare with checksums from the [GitHub release page](https://github.com/steveyegge/beads/releases)
+
+3. **Report the false positive**:
+   - Help improve detection by reporting to your antivirus vendor
+   - Most vendors have false positive submission forms
+
+**Detailed guide**: See [docs/ANTIVIRUS.md](ANTIVIRUS.md) for complete instructions including:
+- How to add exclusions for specific antivirus software
+- How to report false positives to vendors
+- Why Go binaries trigger these detections
+- Future plans for code signing
+
 ## Database Issues
 
 ### `database is locked`